Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: gpg.htm

GPG 1.0.3 can fail to check for altered signed messages



Vulnerability

    GPG

Affected

    GPG 1.0.3

Description

    Jim Small found following.  Attached is multiple copies of a  file
    he had  signed.   Then he  started modifying  parts of  the SIGNED
    message to  see if  gpg could  detect that  the messages  had been
    altered.   It did  not detect  them, so  long as  the last  signed
    message had not been altered.

    Save this advisory as newfile.asc and run

        gpg --verify newfile.asc -o /dev/null

    to see for yourself (the key  it was signed with is available  via
    keyservers).

        asdfasfasdfd


        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA1

        I just added by one stuff to thie message
        bogugfirst file encrypted with nobody dude on uinix box, send to nethole forpmail

        this is actually encrypted with a valid pgpg key imported form win95

        -----BEGIN PGP SIGNATURE-----
        Version: GnuPG v1.0.3 (GNU/Linux)
        Comment: For info see http://www.gnupg.org

        iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
        =siBR
        -----END PGP SIGNATURE-----

        middle stuff


        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA1

        another wrong
        first file encrypted with nobody dude on uinix box, send to nethole forpmail

        this is actually encrypted with a valid pgpg key imported form win95

        another file
        -----BEGIN PGP SIGNATURE-----
        Version: GnuPG v1.0.3 (GNU/Linux)
        Comment: For info see http://www.gnupg.org

        iD8DBQE538hvZi9y1BQncn4RAolnAKCwEJTyPm6895ybQfk1D5IfeqJjmwCg4MlP 3NbvJocg5ksql40aOTZf0MY=
        =yBf2
        -----END PGP SIGNATURE-----



        asfasfasf end stuff
        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA1

        first file encrypted with nobody dude on uinix box, send to nethole forpmail

        this is actually encrypted with a valid pgpg key imported form win95

        bogud

        -----BEGIN PGP SIGNATURE-----
        Version: GnuPG v1.0.3 (GNU/Linux)
        Comment: For info see http://www.gnupg.org

        iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
        =siBR
        -----END PGP SIGNATURE-----

        stuff


        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA1

        first file encrypted with nobody dude on uinix box, send to nethole forpmail



        this is actually encrypted with a valid pgpg key imported form win95

        -----BEGIN PGP SIGNATURE-----
        Version: GnuPG v1.0.3 (GNU/Linux)
        Comment: For info see http://www.gnupg.org

        iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
        =siBR
        -----END PGP SIGNATURE-----
        -----BEGIN PGP SIGNED MESSAGE-----
        Hash: SHA1

        first file encrypted with nobody dude on uinix box, send to nethole forpmail

        this is actually encrypted with a valid pgpg key imported form win95

        -----BEGIN PGP SIGNATURE-----
        Version: GnuPG v1.0.3 (GNU/Linux)
        Comment: For info see http://www.gnupg.org

        iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
        =siBR
        -----END PGP SIGNATURE-----
        gpg: Signature made Sat Oct  7 17:47:33 2000 PDT using DSA key ID 1427727E
        gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>" gpg:                aka "Jim Small <smallj@pacbell.net>" gpg:                aka "James F. Small, Jr. <smallj@saic.com>" gpg:                aka "James F. Small, Jr. <smallj@small.cx>" gp
        g: Signature made Sat Oct  7 18:05:51 2000 PDT using DSA key ID 1427727E
        gpg: BAD signature from "James F. Small, Jr. <smallj@nethole.com>" gpg: Signature made Sat Oct  7 17:47:33 2000 PDT using DSA key ID 1427727E
        gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>" gpg:                aka "Jim Small <smallj@pacbell.net>" gpg:                aka "James F. Small, Jr. <smallj@saic.com>" gpg:                aka "James F. Small, Jr. <smallj@small.cx>" gp
        g: Signature made Sat Oct  7 17:47:33 2000 PDT using DSA key ID 1427727E
        gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>" gpg:                aka "Jim Small <smallj@pacbell.net>" gpg:                aka "James F. Small, Jr. <smallj@saic.com>" gpg:                aka "James F. Small, Jr. <smallj@small.cx>" gp
        g: Signature made Sat Oct  7 17:47:33 2000 PDT using DSA key ID 1427727E
        gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>" gpg:                aka "Jim Small <smallj@pacbell.net>" gpg:                aka "James F. Small, Jr. <smallj@saic.com>" gpg:                aka "James F. Small, Jr. <smallj@small.cx>"

    If you have more than one  cleartext signature in a file (or  pipe
    that to gpg), gpg does  not compare each signature but  flags each
    document as  good or  bad depending  on the  first document in the
    file.  This is a very serious bug in gpg's verification function.

Solution

    A snapshot version which corrects this bug available at:

        ftp://ftp.guug.de/gcrypt/devel/gnupg-1.0.3b.tar.gz
        ftp://ftp.guug.de/gcrypt/devel/gnupg-1.0.3b.tar.gz.sig

    This version also comes with  AES support but there are  still the
    same problems  with building  on Solaris  and HP/UX  as in  1.0.3.
    This problem has been in GnuPG since the beginning but Jim's seems
    to be the first  one who noiced that.   This bug is just  one more
    prove that "given  enough eyeballs all  bugs are shallow"  can not
    be held true when  it comes to the  security bugs; well, the  bugs
    are probably found faster - but most times only be coincedence.

    For Debian:

        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/gnupg-1.0.4-2.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/gnupg-1.0.4-2.src.rpm

    For Linux-Mandrake:

        Linux-Mandrake 7.0: 7.0/RPMS/gnupg-1.0.4-2mdk.i586.rpm
                            7.0/SRPMS/gnupg-1.0.4-2mdk.src.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/gnupg-1.0.4-2mdk.i586.rpm
                            7.1/SRPMS/gnupg-1.0.4-2mdk.src.rpm

    For Red Hat:

        ftp://updates.redhat.com/6.2/alpha/gnupg-1.0.4-4.6.x.alpha.rpm
        ftp://updates.redhat.com/6.2/sparc/gnupg-1.0.4-4.6.x.sparc.rpm
        ftp://updates.redhat.com/6.2/i386/gnupg-1.0.4-4.6.x.i386.rpm
        ftp://updates.redhat.com/6.2/SRPMS/gnupg-1.0.4-4.6.x.src.rpm
        ftp://updates.redhat.com/7.0/i386/gnupg-1.0.4-5.i386.rpm
        ftp://updates.redhat.com/7.0/SRPMS/gnupg-1.0.4-5.src.rpm

    Update for  Immunix OS  6.2 (StackGuarded  versions of  the RedHat
    packages) can be found at:

        http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/gnupg-1.0.4-4.6.x_StackGuard.i386.rpm
        http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/gnupg-1.0.4-4.6.x_StackGuard.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-1.0.4-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-1.0.4-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-1.0.4-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-1.0.4-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-1.0.4-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-1.0.4-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-1.0.4-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/gnupg-1.0.4-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-1.0.4-1cl.i386.rpm

    Trustix recently released  updated package of  gpg.  Users  of TSL
    1.0x and  1.1 that  worry about  local security  should definitely
    upgrade:

        ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/gnupg-1.0.4-2tr.i586.rpm
        http://www.trustix.net/download/Trustix/updates/1.1/RPMS/gnupg-1.0.4-2tr.i586.rpm

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/gnupg-1.04.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/gnupg-1.04.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/gnupg-1.04.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/gnupg-1.04.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/gnupg-1.04.tgz

    For Debian:

        http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.dsc
        http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.4-1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.4-1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.4-1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.4-1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.4-1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.4-1_sparc.deb


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH